Just a friendly tip about some of your homepage's display elements. You have some detailed graphics in your hero image header that would benefit from slowing the image-carousel timer down a bit.
I would also consider slowing down the timer that controls some of the other animated 'switching' elements on the page, such as the 'word-rotator' you are using to cleverly change sentences.
I second this as I nearly stopped reading the page because of it. Also, most sites give a NoScript warning that goes away upon reload. This site directs us to a specific page, requires the usual "Allow," and then asks us to manually go back to the homepage. Only one I've run into in ages doing this. They should take the more common route of building the warning into the main page.
In Germany 33 non-conformist were also called backwards and conservative. The Web today is Germany 33 and js is the elephant in the room who makes life a little bit worse.
Disabling JS on mobile is a godsend though. I keep JS disabled on my phone[1] most of the time and it's generally just a more pleasant experience. I don't even have a particularly slow phone (HTC One M8, I guess it's a couple years old now but it's held up well) but the speed improvement is very noticeable.
We may be crazy but we have our reasons.
1. The very nifty Lightning browser <https://github.com/anthonycr/Lightning-Browser> exposes a convenient setting for this; there's very little menu digging involved if I want to enable it.
I don't really sympathize with the NoJS crowd. If nothing else, you could write a plugin that allows JS but intercepts/drops network calls. Then it doesn't really matter what the JS is doing.
SpiderOak offers encrypted backups. This is a good thing. It doesn't specify how it's stored on their end (presumably because it doesn't matter to the end user). So that's an unknown.
Bytejail offers encrypted anonymous backups (via Tor Hidden Service) and uses a TahoeLAFS backend. My understanding of TahoeLAFS is that it's excellent. So if you're security-conscious, Bytejail would seem like a better choice.
(I'm not familiar enough with SpiderOak to comment on their offering in detail; I can only really go off the page you linked.)
SpiderOak uses RSA-2048 + AES-256. (Is it AES-256-CTR + HMAC-SHA2 or is it AES-256-GCM? That page doesn't specify.)
Bytejail uses scrypt. SpiderOak uses PBKDF2-SHA256 with 16384 iterations.
My earlier comment was saying: Bytejail uses TahoeLAFS on the backend after receiving encrypted blobs. SpiderOak uses ________?
Again, to clarify: This isn't a crticism of SpiderOak. I just literally don't know what they are doing from the pages people have linked to in this thread.
I don't know much about Bytejail or their offering; but I'd say one major, non-technical difference is that Bytejail is a German company with servers located entirely outside of the US. In theory, this makes search-and-seizure of customer data subject to German statutes, which are currently much stronger than US law in terms of privacy.
>SpiderOak's policy is to notify a user of a request for their personal data stored on our servers prior to disclosure unless prohibited from doing so by statute or court order [e.g. U.S.C. § 2705(b)].
Exactly. You can't trust any security company operating in U.S. legal system. I say that as an American doing INFOSEC work. The company must be located in and at least jointly-owned by a privacy friendly jurisdiction. Little police corruption helps, too.
No logging, multiple locations, not subject to NSLs or US law, audited codebase, based on open source software (Tahoe-LAFS) and it's not SpiderOak (I see that as a feature given my experience with their client and support).
The amount of animation on the page makes it really hard to look at.
E: from the graph it seems they are using Tahoe-LAFS[1] for the backend. However I won't be trusting this unless they make the frontend free software as well.
E^2: OpenPGP smartcard authentication would also be a nice feature. Thought of this because they seem to recommend YubiKeys and password managers so why not smartcards as well.
E^3: The reason for OpenPGP smarcard instead of YubiKey is that there is there it at least one completely open hardware and free software implementation for that, the FST-01[2].
It looks interesting and I don't mean to be cheap or petty but I just can't justify that pricing. For 9EUR a month I can get 512GB of storage on Google Cloud Storage or 341GB on Amazon S3 and shove http://infinit.sh/ on top and get most of these benefits.
I'm willing to pay for secure storage but I'm not willing to pay $5.6/GB/month for it.
29 comments
[ 0.25 ms ] story [ 72.3 ms ] threadJust a friendly tip about some of your homepage's display elements. You have some detailed graphics in your hero image header that would benefit from slowing the image-carousel timer down a bit.
I would also consider slowing down the timer that controls some of the other animated 'switching' elements on the page, such as the 'word-rotator' you are using to cleverly change sentences.
Good way to keep stubborn technical users from learning about your project, whatever it may be.
We may be crazy but we have our reasons.
1. The very nifty Lightning browser <https://github.com/anthonycr/Lightning-Browser> exposes a convenient setting for this; there's very little menu digging involved if I want to enable it.
What is the advantage of this over SpiderOak?
https://spideroak.com/solutions/spideroak-one
> SpiderOakONE is the leading private backup solution and is 100% Zero Knowledge. Get a ton of space for only $12 a month.
To me, it seems like a more expensive version.
SpiderOak offers encrypted backups. This is a good thing. It doesn't specify how it's stored on their end (presumably because it doesn't matter to the end user). So that's an unknown.
Bytejail offers encrypted anonymous backups (via Tor Hidden Service) and uses a TahoeLAFS backend. My understanding of TahoeLAFS is that it's excellent. So if you're security-conscious, Bytejail would seem like a better choice.
(I'm not familiar enough with SpiderOak to comment on their offering in detail; I can only really go off the page you linked.)
Its local encryption then copies the resulting blob to SpiderOak. Lose your password, lose your ability to decrypt as you need it to decrypt locally.
Bytejail uses X25519 + Xsalsa20Poly1305.
SpiderOak uses RSA-2048 + AES-256. (Is it AES-256-CTR + HMAC-SHA2 or is it AES-256-GCM? That page doesn't specify.)
Bytejail uses scrypt. SpiderOak uses PBKDF2-SHA256 with 16384 iterations.
My earlier comment was saying: Bytejail uses TahoeLAFS on the backend after receiving encrypted blobs. SpiderOak uses ________?
Again, to clarify: This isn't a crticism of SpiderOak. I just literally don't know what they are doing from the pages people have linked to in this thread.
Take a look at SpiderOak's privacy policy, under the "Disclosure" section (https://spideroak.com/policy/privacy-policy):
>SpiderOak's policy is to notify a user of a request for their personal data stored on our servers prior to disclosure unless prohibited from doing so by statute or court order [e.g. U.S.C. § 2705(b)].
That would be NSLs.
E: from the graph it seems they are using Tahoe-LAFS[1] for the backend. However I won't be trusting this unless they make the frontend free software as well.
E^2: OpenPGP smartcard authentication would also be a nice feature. Thought of this because they seem to recommend YubiKeys and password managers so why not smartcards as well.
E^3: The reason for OpenPGP smarcard instead of YubiKey is that there is there it at least one completely open hardware and free software implementation for that, the FST-01[2].
[1]: https://tahoe-lafs.org/trac/tahoe-lafs [2]: http://www.seeedstudio.com/wiki/FST-01
> NIST-free encryption
Not so long ago most would have trumpted about using NIST encryption... how the world has changed!
(I did some of the code audits.)
I'm willing to pay for secure storage but I'm not willing to pay $5.6/GB/month for it.